How To Write A Simple Cyber Security Plan For A Small Business

We've put together a simple guide to help you write a cyber security plan for your small business. If you have any questions or need further advice please get in touch.

Creating a cyber security plan for a small business is a vital part of your cyber security defences. Almost half (43%) of cyber-attacks target small businesses. Creating and following a simple cyber security plan is the best first step you can take to protecting your business. It’s one of those business essentials you don’t want to do without, and one that far too many SMEs skip, even though it only takes a few hours to draft. Larger companies with more complex needs will require a more sophisticated plan than this; get in touch if you'd like our help.

Checking your computers should only take 20-30 minutes max per machine (if it can’t be automated). Here’s how to build your own working business IT security plan for a smaller business. You can have your cyber security validated through Cyber Essentials verification, which we can certify you for too.


What level of IT security expertise do I need?


As long as you can browse the web, edit a document and run an application, you already know enough about technology to protect your organisation at a basic level. Don’t let anyone put you off. Compared to the potential risks your business faces from unsecured IT, investing in cyber security always delivers a considerable return on investment.


Create a super-simple sample cyber security plan

The first draft of your company’s cyber security plan doesn’t have to win any awards, run to hundreds of pages or be full of fine detail. It just needs to outline the threats you face, establish sensible common-sense policies and assign responsibilities for taking action.

The best plans may be simple, but they’re also dynamic, just like the systems they protect. Everyone involved should take note of which policies are working and which need to be refined, changed or just thrown out and started afresh. It’s all about gathering together and formalising the knowledge you need to give yourself the power to control your IT security.


Your objective


It always helps to distill your objective down to its most basic and potent form, so you know what your aims are. For many businesses, this may include aims such as:

  1. Protecting our intellectual property and financial data

  2. Meeting our regulatory and legislative obligations

  3. Showing our suppliers and clients that we treat the security of their data seriously

Your team members


List your employees and allocate a cyber security task to each relevant person. For example:

  • Peter Smith – Head of sales – Responsible for overall IT security

  • Theresa Jones – Tech support – In charge of all security-led technical changes

  • David Davis – MD – Tasked with scheduling and managing monthly checks


Assessing your threat


What are your digital assets? List them all, including emails, client work files past and present, financial records, marketing collateral, staff information, project plans, schedules, customer data, contracts, and any other information you want to protect. Then list the risks that these assets may face. You might identify things like:

  1. Accidental damage, for example, dropping a tablet and breaking the screen

  2. Natural disasters such as flood and fire

  3. Employee negligence, for example, accidental file deletion

  4. Employee misconduct, for example, stealing customer data

  5. Crime, for example, a break-in at your premises

  6. External risks like malware attacks and industrial espionage

  7. Technical failure, for example, the death of a vital server

  8. Weak or missing security policies

Creating the plan


Now that you’ve formalised your digital assets, the risks they face and the people responsible for managing those risks, you have everything you need to make basic plans for how to mitigate the risks. You might include items like the following:


  1. Switching email to Microsoft Office 365 so that our mail is swept for viruses, archived and kept secure

  2. Moving data to a central file server

  3. Discouraging staff from storing information on their local PCs

  4. Backing up vital data every day, with local copies and in the cloud

  5. Storing critical customer and business information on SharePoint Online

  6. Restricting each project’s files to the staff working on that project

  7. Restricting access to business information like our accounts and payroll to a limited number of people on a need-to-know basis

  8. Setting up BitLocker on all company laptops to encrypt files in case they are lost or stolen

  9. Security-marking every laptop

  10. Getting a security company to audit our physical security, locks and alarms once a year

  11. Updating our internet use policy with our lawyers and training new staff on it

  12. Ensuring everyone in the company is familiar with our IT security procedures

  13. Holding yearly training for the whole company to keep security knowledge fresh

  14. Spot-checking regularly to make sure IT security is being taken seriously and our protocols are being followed


It’s a reasonably simple exercise, but even a basic cyber security plan can save you a world of pain. Having an external company audit the plan and your cyber security as a whole, for example through Cyber Essentials Plus certification, adds integrity to the process.

Further Reading: The Complete Guide To Cyber Essentials



©2019 by Forensic Control. All Rights Reserved.
